Skip to content

sweetalert2 v8.19.1 and above contains hidden functionality

Low severity GitHub Reviewed Published Nov 23, 2022 to the GitHub Advisory Database • Updated Sep 24, 2025

Package

npm sweetalert2 (npm)

Affected versions

>= 8.19.1, < 9.0.0

Patched versions

11.22.4

Description

sweetalert2 versions 8.19.1 and up until 9.0.0 are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in versions below 8.19.1.

Workaround

Users who are unable to update to the fixed version (11.22.4) can use package versions 8.19.0 and below, as they do not contain the hidden functionality.

References

Published to the GitHub Advisory Database Nov 23, 2022
Reviewed Nov 23, 2022
Last updated Sep 24, 2025

Severity

Low

EPSS score

Weaknesses

Hidden Functionality

The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-8jh9-wqpf-q52c

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.